IncreaseWKDUsage2021 bachelor thesis

Christoph Klassen is writing his bachelor thesis (at Intevation) about how usage of WKD can be furthered. Bernhard Reiter does the mentoring, see gnupg-devel@ for discussion and for contacting Christoph or Bernhard.

Started at 2021-10

Goal

WKD is easy to implement and brings the advantage of good usability. Because of that it is desirable to spread it and increase its usage. The question is how to do that and which is the best way. More concrete: Which measures fit best to spread the WKD standard. This measures are taken from the area of software engineering and include documentation, testing and implementation. They will be applied to different products that are Free Software.

Difficulty

It is necessary to evaluate the success of different measures to tell which one was the most effective one. It is not possible to track users while using their products, because one main promise of the products is to protect users privacy. So there have to be other ways to measure the success. One idea is to log the WKD calls on a server, which has much traffic. Please contact Bernhard or Christoph when you have these possibilities or know someone who could do this service. It would be very helpful!
This idea would help to evaluate the success of all measures overall. Additionally, it would be of great value, if there would be a way to differentiate between the measures. Maybe the statistics could show a correlation between measures and increase of WKD calls.

Use Cases

It is necessary to define use cases, so it is easier to speak about how to implement the WKD-standard. These use cases were written by using Cockburns template [1].

Use Case #1: Write an encrypted email

Goal: Sending a confidential message.
Precondition:

An email-client, which uses the OpenPGP-standard, was installed
The person, who wants to write the email, does not have the pubkey of the receiver yet
The receiver did create a pubkey and made it available on a WKD server
The pubkey of the receiver needs to be fetched automatically

Success: An encrypted email was sent
Failure:

An unencrypted email was sent
No email was sent
The receiver cannot decrypt the encrypted email

Actors: A random person
Trigger: A person wants to write a confidential message to another person in a way that no other person can read its contents.
Description:

Person opens the email-client
Person opens the window to compose an email
Person enters address, subject and message
Person sends the email

Extensions:

Person checks, if the email really can be encrypted, before trying to send it
Person checks, if the pubkey is trustworthy
Person checks, how trustworthy the pubkey is

Use Case #2: Validate the signature of an email

Goal: Check, if an email was written by the person, whose email address was used.
Precondition:

An email-client, which uses the OpenPGP-standard, was installed
The person, who sent the email, created a pubkey and made it available on a WKD-server
The pubkey of the sender needs to be fetched automatically
The person, who wants to check the signature, does not have the pubkey of the sender yet

Success: The signature of the email could be checked
Failure: The signature of the email could not be checked
Actors: A random person
Trigger: A person receives an email with important information and wants to know, if it was really written by the person, whose address was used to send the email.
Description:

Person opens the email-client
Person opens received email
Person sees if the signature of the email is valid

Extensions:

Person checks, if the pubkey, which was used to check the signature of the received email, is trustworthy
Person checks, how trustworthy the pubkey is, which was used to check the signature of the received email

Criterions for implementing WKD with a good usability (Draft)

The product is compatible to the last version of the WKD-standard
WKD is enabled by default.
It is documented in the user documentation that WKD is used in the product. If users did not know that a product implements the WKD-standard and they read the user documentation, there is a chance that they find out about WKD and start to use it.
WKD is used automatically. The users do not have to press a button to retrieve a key via WKD.
WKD is used, when users enter an email, whose pubkey they do not own yet. When users have to search for a key manually, the button should be in the area, where they can write an email.
WKD is used, when users validate the signature of an email. When users have to search for a key manually, the button should be in the area, where they can check the signature.
The UI of the product shows, if a pubkey has a basic trust level, right where the user needs this information (in the area to compose an email or check a signature)
The UI shows, how trustworthy a pubkey is in an interval of different steps (Here is some information about trust levels).

Another way to evaluate products is to do a heuristic evaluation. Jakob Nielson created ten different heuristics to examine the usability of products. On [2] is a recent article, where he summarizes the heuristics. The essence of these heuristics is that users want to be able to predict the softwares behavior and to have the feeling of control about the software. Therefore it is necessary that the application gives users enough information to know, what is going on. On the other hand users shouldn't be overwhelmed with to much information or too many choices and UI elements. It is also important that a software is consistent in itself and with other applications, which the users also use, so they can re-use their experience.

State of products and progress

Here it will be described what state different products had at the beginning of the work and what measures were taken to increase the usage of WKD.

Overview

Criterion\Product	Mailvelope	Claws Mail	FairEmail	K9Mail	KMail	Thunderbird
The product is compatible to the last version of the WKD-standard	no	yes	no	no	yes	no
WKD is enabled by default	?	no°	yes	yes	no	yes
WKD is used automatically	yes	no	no	no	yes	no
WKD is available, when composing an email	yes	no	no	no	yes	no°°
WKD is available, when checking a signature	?	?	no	no	?	no

°: WKD is enabled automatically, but encryption has to be enabled manually, so WKD can't be used with a clean installation.
°°: Users need to click on some buttons and open two additional windows before they can search for a key via WKD, so the WKD-button is a bit more hidden.

Mailvelope

Previous state (analyzed version 4.4.1)

Does use WKD
The implementation is not up-to-date since it doesn't contain the advanced method
There is an issue for the advanced method on Github: https://github.com/mailvelope/mailvelope/issues/774

Measures

As part of this work a branch was created to implement the advanced method: https://github.com/c8k/mailvelope

Claws Mail

Previous state (analyzed version 3.18.0)

Integrated WKD since version 3.18.0 / 4.0.0
Pubkeys can only be retrieved, when users get an encrypted email
How to enable encryption and use WKD can be found on this wiki page

Measures

Request: In the compose window users can right-click on an email address to open a context menu, where they can e.g. add this address to their address book. To give users the possibility to retrieve keys of email addresses, from which they didn't receive an email yet, it was requested to implement another action to do just that. Optionally, this action could be shown only, if the user enabled a privacy system.
Request: Automatically enable a privacy system as soon as an user adds one, when loading a plugin.

FairEmail/ K9Mail

Previous state

Use OpenKeyChain to retrieve keys via WKD and encrypt emails
It is necessary to open OpenKeyChain to retrieve keys. This step is not possible in the GUI of the products
OpenKeyChain is not compatible with the last version of the WKD-standard because it uses the direct method, even if the subdomain "openpgpkey" exists

FairEmail

Previous state (analyzed version 1.1776)

Heuristic Evaluation of FairEmail

Measures

Requested an easier way to open the OpenKeyChain app, so users can open it from FairEmail and don't have to go to the settings of the phone to start the OpenKeyChain app there.
Reported a bug: When an encrypted mail was recieved and that mail was decrypted with FairEmail, a message appeared saying, that the mail isn't signed. But when the mail is decrypted there is an icon left of the lock icon and after a tap on it, a message appears, which tells that the signature is valid. So the first message seems to be incorrect.
- Was fixed in a newer version
Recommended to edit the UI in the compose window. There are three icons. Two of them can be interacted with and one not, but all of them have the same style (no borders, no background, same color etc.). To be more consistent it was suggested to remove the icon without function or to adjust the style of the icons, so that the one, which can't be interacted with, has a different style.
- The icons got different colors in a newer version

K9Mail

Previous state (analyzed version 5.806)

coming soon

KMail

Serves as a reference in this work
It was analyzed (version 5.18.3), but no measures were taken
KMail implements the latest WKD-standard
WKD is not enabled by default. How to change this can be found here.
Pubkeys are fetched automatically, if WKD is enabled.

Thunderbird

Was also only analyzed (version 97.0a1) because it will probably be difficult to contribute to such an extensive product
Implements parts of the WKD-standard
If a key is not available, the direct method will be used, even if the subdomain openpgpkey exists. This is not compliant with the standard.
WKD is enabled by default...
...but the search has to be started manually.
It is mentioned that Thunderbird uses WKD in the user documentation.
WKD can be used in the composing window.
There is a button (see Screenshot) to retrieve the pubkey to check the signature, but the search does not include WKD.
Users can choose, if they accept a pubkey for encryption and tell, if they have verified the key (see Screenshot). When they write an email, they don't see any information about a pubkey. When they open a received signed email, they see an icon, which depicts, if they accepted the key. So, Thunderbird itself doesn't inform, if a pubkey is trustworthy, but the user has to decide, if that is the case.
There is no additional information about the trustworthiness of a pubkey.

mail.de

The email-provider mail.de is a special case in this work because it represents the server-side of WKD and not the client-side as the other products.

Previous state

It was found out that mail.de did offer a WKD-server, where users could upload their keys via the settings of mail.de
A test with GnuPG (gpg -vv --locate-keys --auto-key-locate clear,nodefault,wkd) showed that it was not possible to get the key via WKD
Ingo Klöcker found the reason with dirmngr [3]: Resolving openpgpkey.mail.de didn't end with an error, so GnuPG didn't use the direct method of WKD.

Measures

After communicating with Michael Kliewe, the Chief Security Officer from mail.de, a TXT record was created for the domain openpgpkey.mail.de
The result of another test showed that GnuPG now was using the direct method
Michael Kliewe also gave the information that 165 accounts did upload a key on the WKD-server. That means that now there are 165 keys, which can also be retrieved by clients that are implementing the actual WKD-standard

Sources

[1] H. Balzert, Lehrbuch der Softwaretechnik: Basiskonzepte und Requirements Engineering, 3. Edition, Spektrum Akademischer Verlag Heidelberg: 2009
[2] J. Nielsen, 10 Usability Heuristics for User Interface Design, https://www.nngroup.com/articles/ten-usability-heuristics/ [Accessed 15.12.2021].
[3] I. Klöcker, Error when trying to locate key via WKD, https://lists.gnupg.org/pipermail/gnupg-users/2021-October/065510.html, [Accessed 15.12.2021].